Senior Department of Homeland Security officials are working to determine if a ransomware attack on government contractor Johnson Controls International has compromised sensitive physical security information such as DHS floor plans, according to internal DHS correspondence reviewed by CNN.
Johnson Controls, a major manufacturer of alarm and building automation systems, "holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities," according to the internal memo.
The looming potential government shutdown -- which could start on Sunday morning barring a deal struck in Congress -- makes it "especially time sensitive" to determine which DHS offices might be affected by the ransomware attack, the memo said.
"Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers," the memo said. But it was unclear if the cybercriminal hackers accessed that information. "We do not currently know the full extent of the impact on DHS systems or facilities," it states.
The incident is a stark reminder for US officials of the cybersecurity risks they take on by working with private contractors for key government services. The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards.
Ransomware gangs often target US government contractors because of the sensitive data they hold, which can increase their leverage in ransom negotiations. But it's unclear if the hackers in this case have demanded a ransom.
The cyberattack hit Johnson Controls in the last week, causing disruptions to internal IT systems and knocking some of the company's subsidiary websites offline.
The incident is expected to continue to cause disruptions to some of Johnson Controls' business operations, the company said in a filing with the US Securities and Exchange Commission on Wednesday. Johnson Controls has hired "external cybersecurity experts" to recover from the "cybersecurity incident," and is in touch with its insurers, the SEC filing said.
A spokesperson for DHS did not immediately respond to a request for comment.
Trent Perrotto, a spokesperson for Johnson Controls International, declined to comment when CNN asked what DHS data the company stores and whether sensitive physical security information was compromised in the cyberattack. Perrotto referred CNN to the company's SEC filing.
CNN could not independently confirm which cybercriminal group was responsible for the breach of Johnson Controls.
DHS officials are also checking to see whether any personally identifiable information of DHS officials was swept up in the hack, according to the internal correspondence reviewed by CNN.